RHEcosystemAppEng · RedTanny · Apr 15, 2026 · Apr 19, 2026 · Apr 19, 2026 · Apr 20, 2026
diff --git a/.tekton/on-pull-request.yaml b/.tekton/on-pull-request.yaml
@@ -251,6 +251,7 @@ spec:
                 # This is handled in the Makefile's lint-pr target and should be reverted after migration.
                 make lint-pr TARGET_BRANCH=$TARGET_BRANCH_NAME
 
+
                 print_banner "RUNNING UNIT TESTS"
                 make test-unit PYTEST_OPTS="--log-cli-level=DEBUG"
 

diff --git a/Dockerfile b/Dockerfile
@@ -32,7 +32,13 @@ ENV PYTHONDONTWRITEBYTECODE=1
 ENV AGENT_GIT_COMMIT=${AGENT_GIT_COMMIT}
 ENV AGENT_GIT_TAG=${AGENT_GIT_TAG}
 
+# System dependencies:
+# - build-essential: Required for compiling Python packages with native C extensions
+#   (e.g., psutil, cryptography, cffi) during `uv sync`. Also needed for libkrb5-dev.
+# - libarchive-tools: Provides bsdtar for extracting RPM/SRPM archives in the checker
+# - libkrb5-dev: Kerberos headers for gssapi Python package (Brew authentication)
 RUN apt-get update && apt-get install -y \
+      build-essential \
       ca-certificates \
       curl \
       git \
@@ -42,6 +48,7 @@ RUN apt-get update && apt-get install -y \
       libarchive-tools \
       xz-utils \
       libatomic1 \
+      libkrb5-dev \
     && apt-get clean \
     && rm -rf /var/lib/apt/lists/* \
     && update-ca-certificates

diff --git a/README.md b/README.md
@@ -192,6 +192,7 @@ The current default embedding NIM model is `nv-embedqa-e5-v5`, which was selecte
 
 * [git](https://git-scm.com/)
 * [git-lfs](https://git-lfs.com/)
+* bsdtar (from libarchive) - Used for extracting RPM source archives. Install via `apt install libarchive-tools` (Debian/Ubuntu) or `dnf install bsdtar` (Fedora/RHEL).
 * Since the workflow uses [NVIDIA NeMo Agent Toolkit](https://docs.nvidia.com/aiqtoolkit), the [NeMo Agent toolkit requirements](https://docs.nvidia.com/aiqtoolkit/latest/quick-start/installing.html#prerequisites) also need to be installed.
 
 ### Obtain API keys

diff --git a/kustomize/base/exploit-iq-config.yml b/kustomize/base/exploit-iq-config.yml
@@ -84,6 +84,11 @@ functions:
   Code Keyword Search:
     _type: lexical_code_search
     top_k: 5
+  Source Grep:
+    _type: source_grep
+    base_checker_dir: ${EXPLOIT_IQ_DATA_DIR:-/exploit-iq-data/}checker
+    max_results: 50
+    context_lines: 2
   CVE Web Search:
      _type: serp_wrapper
      max_retries: 5
@@ -156,6 +161,38 @@ functions:
     generate_intel_score: true
     intel_low_score: 51
     insist_analysis: false
+  cve_source_acquisition:
+    _type: cve_source_acquisition
+    base_git_dir: ${EXPLOIT_IQ_DATA_DIR:-/exploit-iq-data/}git
+    base_pickle_dir: ${EXPLOIT_IQ_DATA_DIR:-/exploit-iq-data/}pickle
+    base_rpm_dir: ${EXPLOIT_IQ_DATA_DIR:-/exploit-iq-data/}rpms
+    base_checker_dir: ${EXPLOIT_IQ_DATA_DIR:-/exploit-iq-data/}checker
+    rpm_user_type: ${RPM_USER_TYPE:-internal}
+  cve_checker_segmentation:
+    _type: cve_checker_segmentation
+    base_checker_dir: ${EXPLOIT_IQ_DATA_DIR:-/exploit-iq-data/}checker
+    base_code_index_dir: ${EXPLOIT_IQ_DATA_DIR:-/exploit-iq-data/}code_index
+  cve_package_code_agent:
+    _type: cve_package_code_agent
+    llm_name: cve_agent_executor_llm
+    base_checker_dir: ${EXPLOIT_IQ_DATA_DIR:-/exploit-iq-data/}checker
+    base_code_index_dir: ${EXPLOIT_IQ_DATA_DIR:-/exploit-iq-data/}code_index
+    rpm_user_type: ${RPM_USER_TYPE:-internal}
+    tool_names:
+      - Source Grep
+      - Code Keyword Search
+  cve_checker_report:
+    _type: cve_checker_report
+    llm_name: cve_agent_executor_llm
+    base_checker_dir: ${EXPLOIT_IQ_DATA_DIR:-/exploit-iq-data/}checker
+  cve_build_agent:
+    _type: cve_build_agent
+    llm_name: cve_agent_executor_llm
+    base_checker_dir: ${EXPLOIT_IQ_DATA_DIR:-/exploit-iq-data/}checker
+    max_iterations: 10
+    tool_names:
+      - Source Grep
+      - Code Keyword Search
   health_check:
     _type: health_check
 
@@ -248,6 +285,11 @@ workflow:
   cve_summarize_name: cve_summarize
   cve_justify_name: cve_justify
   cve_output_config_name: cve_http_output
+  cve_source_acquisition_name: cve_source_acquisition
+  cve_checker_segmentation_name: cve_checker_segmentation
+  cve_package_code_agent_name: cve_package_code_agent
+  cve_checker_report_name: cve_checker_report
+  cve_build_agent_name: cve_build_agent
 
 eval:
   general:

diff --git a/kustomize/base/exploit_iq_service.yaml b/kustomize/base/exploit_iq_service.yaml
@@ -122,6 +122,8 @@ spec:
               value: "True"
             - name: EXPLOIT_IQ_DATA_DIR
               value: /exploit-iq-data/
+            - name: RPM_USER_TYPE
+              value: "internal"
             - name: NAMESPACE
               valueFrom:
                 fieldRef:

diff --git a/pyproject.toml b/pyproject.toml
@@ -35,6 +35,8 @@ dependencies = [
   "litellm<=1.75.8",
   "csaf-tool==0.3.2",
   "jsonschema>=4.0.0,<5.0.0",
+  "koji",
+  "unidiff>=0.7.5",
 ]
 requires-python = ">=3.11,<3.13"
 description = "NVIDIA AI Blueprint: Vulnerability Analysis for Container Security"

diff --git a/src/exploit_iq_commons/data/hardening_kb/__init__.py b/src/exploit_iq_commons/data/hardening_kb/__init__.py
@@ -0,0 +1,14 @@
+# SPDX-FileCopyrightText: Copyright (c) 2025, NVIDIA CORPORATION & AFFILIATES. All rights reserved.
+# SPDX-License-Identifier: Apache-2.0
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.